To configure Single Logout (SLO) in AAD, begin by enabling SLO in Kantega SSO from the Single Logout menu. As of Kantega SSO 3.5.0 the logout URL should already be populated, so you can simply enable SLO and click Save.
If the SAML provider logout URL for AAD isn't already configured, this must be configured first:
If the AAD logout URL isn't specified already, you will need to either enter it directly in the Single Logout configuration form or refresh the AAD metadata, which is what we'll do here.
Navigate to the Metadata menu. If the metadata URL is already filled you can simply click Save to do the refresh.
Otherwise, you will first need to either obtain the "App Federation Metadata Url", or upload "Federation Metadata XML" as a file (or use XML cut&paste) from AAD. This can be obtained via the AAD management portal. Log in to https://portal.azure.com, then navigate to Azure Active Directory >> Enterprise Applications >> Atlassian app. Then select Single Sign-on from the menu.
After refreshing metadata, the Single Logout menu page should have a logout URL and you can enable SLO and continue with setup.
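To confirm before refreshing that the federation metadata actually advertises a logout endpoint, the following added example (not Kantega SSO code) parses a saved "Federation Metadata XML" file and lists the IdP's SingleLogoutService entries. The function name and the sample document, with its placeholder host and tenant, are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample metadata (placeholder host and tenant), not real AAD output.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://idp.example.test/TENANT-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/TENANT-PLACEHOLDER/saml2"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/TENANT-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def idp_logout_endpoints(metadata_xml: bytes):
    """Return [(binding, location, response_location)] for the IdP's SLO endpoints."""
    # Metadata is untrusted input: refuse DTDs so entity declarations never reach
    # the parser (byte check assumes a UTF-8 document, as in the sample above).
    if b"<!DOCTYPE" in metadata_xml or b"<!ENTITY" in metadata_xml:
        raise ValueError("DTD/entity declarations are not allowed in metadata")
    root = ET.fromstring(metadata_xml)
    endpoints = []
    for slo in root.findall(".//md:IDPSSODescriptor/md:SingleLogoutService", MD_NS):
        location = slo.get("Location", "")
        # A logout endpoint served over plain HTTP should never be accepted.
        if not location.lower().startswith("https://"):
            raise ValueError(f"logout endpoint is not HTTPS: {location!r}")
        # ResponseLocation is optional; LogoutResponse goes to Location without it.
        response_location = slo.get("ResponseLocation") or location
        endpoints.append((slo.get("Binding"), location, response_location))
    return endpoints


if __name__ == "__main__":
    for binding, location, response_location in idp_logout_endpoints(SAMPLE_METADATA):
        print(binding, location, response_location)
```

An empty result means the metadata carries no IdP logout endpoint, so the logout URL has to be entered manually in the Single Logout configuration.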
Once SLO has been enabled and the AAD logout URL configured, you have partial Single Logout (IDP): users can click "Logout" in the Atlassian app and be signed out of both the app and the IDP. The user will land on AAD's logout confirmation page.
A logout URL can optionally be configured for each SP (e.g. Jira, Confluence) in AAD. This should enable real Single Logout, but it does not work. AAD correctly notifies one session participant but won't accept LogoutResponse messages from that entity on its own endpoint, so the protocol breaks down. It works as a basic return URL as long as there is only a single session participant, which is pretty much useless.
Locate the Basic SAML configuration card and click to edit.
To fill in the logout URL, either save the Service Provider Metadata from Kantega SSO (obtained from "URLs and cert for IDP setup") and upload it to AAD as shown below, or simply cut&paste the Logout URL manually.